Where to store JWT - ace-han/vue-drf-jwt GitHub Wiki

As per:

- https://dev.to/rdegges/please-stop-using-local-storage-1i04
- https://stackoverflow.com/questions/34817617/should-jwt-be-stored-in-localstorage-or-cookie

We should stop storing JWTs in localStorage. Instead, we should store the JWT in a cookie.

- Single Page Application (SPA)
  - Cookie
    1. On login, set `access_token` and `refresh_token` in cookies.
    2. Go to the `next` URL, if any.
    3. Before each AJAX call, read the CSRF token with js-cookie and set it as `config.headers['X-CSRFToken'] = $csrfToken`, as required by `django/middleware/csrf.py` (`CsrfViewMiddleware.process_view`).
    4. For every AJAX call whose response status code is 4xx, run `do_refresh_token` and queue up the deferred AJAX calls.
    5. If `do_refresh_token` obtains a new `access_token`, replay the queued AJAX calls.
    6. Otherwise, redirect to login.
- Mobile
  - Android: SharedPreferences
  - iOS: Keychain or UserDefaults
- Weapp and similar apps
  - localStorage
    (Yes, localStorage. But we can do it with weapp-cookie to keep aligned with the operations in the SPA.)
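The SPA steps 3 to 6 above, as an added example that is not code from the vue-drf-jwt project. It assumes a hypothetical transport function `http(config)` resolving to `{ status, data }` (in a real app this would wrap axios or fetch with `withCredentials`), a hypothetical `refresh()` that calls the refresh endpoint and resolves to `true` when a new `access_token` cookie was issued, and Django's default CSRF cookie name `csrftoken`. It narrows the page's "4xx" trigger to 401 so that a 404 or 400 cannot start a refresh loop; that narrowing is this example's choice, not the wiki's. The `simulate` function at the end is a constructed offline run with a fake server whose access token has expired.

```javascript
// Added example, not from the vue-drf-jwt wiki. Names `http`, `refresh`,
// `onLoginRequired` and `getCookies` are hypothetical injection points.

// Step 3: read the CSRF token from the cookie string (document.cookie in a
// browser) and echo it back as X-CSRFToken. Django leaves the CSRF cookie
// readable by JS on purpose; the access_token cookie should be HttpOnly and
// is never read here, only sent automatically by the browser.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

function withCsrfHeader(config, cookieString) {
  const token = readCookie(cookieString, 'csrftoken');
  const headers = { ...(config.headers || {}) };
  if (token) headers['X-CSRFToken'] = token;
  return { ...config, headers, withCredentials: true };
}

// Steps 4-6: one refresh in flight at a time. Requests that hit 401 while a
// refresh is running all await the same promise (the "queue"), replay once
// when it succeeds, and trigger a single redirect to login when it fails.
function createAuthClient({ http, refresh, onLoginRequired, getCookies }) {
  let refreshing = null;

  async function request(config) {
    const res = await http(withCsrfHeader(config, getCookies()));
    if (res.status !== 401) return res;
    if (!refreshing) {
      refreshing = refresh()
        .then((ok) => { if (!ok) onLoginRequired(); return ok; })
        .finally(() => { refreshing = null; });
    }
    const ok = await refreshing;
    if (!ok) return res;
    // Replay exactly once; a second 401 is returned to the caller, no loop.
    return http(withCsrfHeader(config, getCookies()));
  }
  return { request };
}

// Constructed simulation: two concurrent calls against a fake server whose
// access token is expired, so both hit 401 and share one refresh.
async function simulate({ refreshSucceeds }) {
  const jar = { csrftoken: 'abc123', access_token: 'expired' }; // constructed
  const getCookies = () =>
    Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
  let refreshCalls = 0;
  let loginRedirects = 0;
  const seenCsrf = [];
  const http = async (config) => {
    seenCsrf.push(config.headers['X-CSRFToken']);
    return jar.access_token === 'fresh'
      ? { status: 200, data: config.url }
      : { status: 401 };
  };
  const refresh = async () => {
    refreshCalls += 1;
    if (refreshSucceeds) jar.access_token = 'fresh';
    return refreshSucceeds;
  };
  const client = createAuthClient({
    http, refresh, getCookies, onLoginRequired: () => { loginRedirects += 1; },
  });
  const results = await Promise.all([
    client.request({ url: '/api/a' }),
    client.request({ url: '/api/b' }),
  ]);
  return {
    statuses: results.map((r) => r.status),
    refreshCalls,
    loginRedirects,
    csrfAlwaysSent: seenCsrf.every((h) => h === 'abc123'),
  };
}

module.exports = { readCookie, withCsrfHeader, createAuthClient, simulate };
```

The single shared `refreshing` promise is what turns "queue up deferred AJAX calls" into code: every caller that sees a 401 during a refresh parks on the same promise instead of firing its own refresh, so the refresh endpoint is hit once per expiry rather than once per request.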